Date:	Fri, 2 Jul 2010 18:55:59 +0200
From:	Thomas Renninger <trenn@...e.de>
To:	Jason Baron <jbaron@...hat.com>, Andi Kleen <andi@...stfloor.org>
Cc:	LKML <linux-kernel@...r.kernel.org>, Hannes Reinecke <hare@...e.de>
Subject: Re: Dynamic Debug broken on 2.6.35-rc3?

On Thursday 01 July 2010 18:26:01 Jason Baron wrote:
> On Thu, Jul 01, 2010 at 05:44:19PM +0200, Thomas Renninger wrote:
> > 
> > Hi,
> > 
> > Doing:
> > echo "file ec.c +p" >/sys/kernel/debug/dynamic_debug/control
> > 
> > I got x
> > RIP: 0010:[<ffffffff81251267>]  [<ffffffff81251267>] ddebug_change+0x87/0x240
... 
> I just tried the same command on 2.6.35-rc3, and it worked fine. I
> noticed that the kernel you're running is: "2.6.35-rc3-0.0.10.4cae135-default",
> so perhaps there are some other changes there causing this problem? Can
> you re-produce the bug on a purely upstream kernel?
I am able to create another crash with plain 2.6.35-rc3 kernel.
Find attached my .config.
I again initiated the crash by:
echo "file ec.c +p" >/sys/kernel/debug/dynamic_debug/control

First I got a crash in strcmp without a backtrace.

BUG: unable to handle kernel NULL pointer dereference at (null)
[  252.832036] IP: [<ffffffff8122b4f4>] strcmp+0x14/0x30
[  252.832036] PGD 37a76067 PUD 7a60c067 PMD 0
[  252.832036] Oops: 0000 [#1] SMP
[  252.832036] last sysfs file: /sys/devices/system/cpu/cpu3/cache/index2/shared_cpu_map

Thus I clustered lib/dynamic_debug.c with NULL pointer checks before
strcmp(), but couldn't find anything -> got other crashes.

Hmm, with attached config I can easily produce crashes, e.g.:
cat /sys/kernel/debug/dynamic_debug/control |wc
    622    5683   64665

BUG: unable to handle kernel paging request at ffffffffa01c480f
[  412.226289] IP: [<ffffffff8123b31b>] ddebug_proc_show+0x1b/0xa0
[  412.226289] PGD 1806067 PUD 180a063 PMD 376e8067 PTE 0
[  412.226289] Oops: 0000 [#1] SMP
[  412.226289] last sysfs file: /sys/devices/system/cpu/cpu7/cache/index2/shared_cpu_map
[  412.226289] CPU 5
[  412.226289] Modules linked in: autofs4 edd nfs lockd fscache nfs_acl auth_rpcgss sunrpc af_packet cpufreq_conservative cpufreq_userspace cpufreq_powersave acpi_cpufreq mperf fuse reiserfs loop dm_mod igb i5400_edac ioatdma edac_core floppy sr_mod shpchp iTCO_wdt iTCO_vendor_support cdrom container button pci_hotplug i2c_i801 i5k_amb serio_raw dca sg pcspkr ext4 jbd2 crc16 uhci_hcd radeon ttm drm_kms_helper ehci_hcd drm usbcore sd_mod i2c_algo_bit fan thermal processor thermal_sys ata_generic ata_piix ahci libahci libata scsi_mod
[  412.226289]
[  412.226289] Pid: 3451, comm: cat Not tainted 2.6.35-rc3-vanilla #5 X7DWN/X7DW3
[  412.226289] RIP: 0010:[<ffffffff8123b31b>]  [<ffffffff8123b31b>] ddebug_proc_show+0x1b/0xa0
[  412.226289] RSP: 0018:ffff880078761e68  EFLAGS: 00010286
[  412.226289] RAX: ffffffff8163fe20 RBX: ffffffffa01c47e8 RCX: ffff8800370ec3e0
[  412.226289] RDX: ffff8800370ec3e0 RSI: ffffffffa01c47e8 RDI: ffff880036e24740
[  412.226289] RBP: ffff880078761e98 R08: 0000000000000001 R09: 000000000000ffff
[  412.226289] R10: 0000000000000003 R11: 000000000000000a R12: ffff880036e24740
[  412.226289] R13: 0000000000000ec7 R14: ffff880078761ed0 R15: 0000000000000000
[  412.226289] FS:  00007f9f0982c700(0000) GS:ffff880001d40000(0000) knlGS:0000000000000000
[  412.226289] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  412.226289] CR2: ffffffffa01c480f CR3: 0000000037a08000 CR4: 00000000000006e0
[  412.226289] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  412.226289] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  412.226289] Process cat (pid: 3451, threadinfo ffff880078760000, task ffff880036536480)
[  412.226289] Stack:
[  412.226289]  ffff880078761e78 ffffffff8123b3e7 000000000000002d ffff8800379cae40
[  412.226289] <0> ffffffffa01c47e8 ffff880036e24740 ffff880078761f08 ffffffff8114eca9
[  412.226289] <0> ffff880078761f48 0000000000001000 0000000000611000 ffff8800379cae40
[  412.226289] Call Trace:
[  412.226289]  [<ffffffff8123b3e7>] ? ddebug_proc_start+0x27/0x100
[  412.226289]  [<ffffffff8114eca9>] seq_read+0x269/0x430
[  412.226289]  [<ffffffff81131ec8>] vfs_read+0xc8/0x1a0
[  412.226289]  [<ffffffff81132090>] sys_read+0x50/0x90
[  412.226289]  [<ffffffff81002e2b>] system_call_fastpath+0x16/0x1b
[  412.226289] Code: ee ff 48 83 c4 08 5b c9 c3 0f 1f 80 00 00 00 00 55 48 89 e5 41 54 49 89 fc 53 48 89 f3 48 83 ec 20 48 83 fe 01 48 8b 57 60 74 75 <0f> b6 46 27 c6 45 e1 00 83 e0 01 83 f8 01 19 c0 83 e0 bd 83 c0
[  412.226289] RIP  [<ffffffff8123b31b>] ddebug_proc_show+0x1b/0xa0
[  412.226289]  RSP <ffff880078761e68>
[  412.226289] CR2: ffffffffa01c480f


Here another try with verbose=1 (in dynamic_debug.c).
This time no backtrace again:

[  222.788975] ddebug_proc_open: called
[  222.797015] ddebug_proc_start: called m=ffff88015a100340 *pos=0
[  222.809390] ddebug_proc_show: called m=ffff88015a100340 p=0000000000000001
[  222.823733] ddebug_proc_next: called m=ffff88015a100340 p=0000000000000001 *pos=0
[  222.839181] ddebug_proc_show: called m=ffff88015a100340 p=ffffffff81909820
[  222.853423] ddebug_proc_next: called m=ffff88015a100340 p=ffffffff81909820 *pos=1
[  222.868866] ddebug_proc_show: called m=ffff88015a100340 p=ffffffff81909848
[  222.868879] ddebug_proc_next: called m=ffff88015a100340 p=ffffffff81909848 *pos=2
[  222.868887] ddebug_proc_show: called m=ffff88015a100340 p=ffffffff81909870
[  222.868896] ddebug_proc_next: called m=ffff88015a100340 p=ffffffff81909870 *pos=3
[  222.868904] ddebug_proc_show: called m=ffff88015a100340 p=ffffffff81909898
[  222.868913] ddebug_proc_next: called m=ffff88015a100340 p=ffffffff81909898 *pos=4
[  222.868920] ddebug_proc_show: called m=ffff88015a100340 p=ffffffff819098c0
[  222.868930] ddebug_proc_next: called m=ffff88015a100340 p=ffffffff819098c0 *pos=5
[  222.868937] ddebug_proc_show: called m=ffff88015a100340 p=ffffffff819098e8
[  222.868947] ddebug_proc_next: called m=ffff88015a10034

<- KDUMP/CRASH kernel gets loaded ->

[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Linux version 2.6.35-rc3-vanilla (trenn@ett) (gcc version 4.3.4 [gcc-4_3-branch revision 152973] (SUSE Linux) ) #6 SMP Fri Jul 2 18:39:34 CEST 2010
[    0.000000] Command line: root=/dev/sda7 console=tty0 console=ttyS0,57600 sysrq_always_enabled panic=100 ignore_loglevel resume=/dev/disk/by-id/ata-WDC_WD1200JS-00NCB1_WD-WCANM5535606-part2  quiet  vga=normal elevator=deadline sysrq=1 reset_devices irqpoll maxcpus=1  memmap=exactmap memmap=640K@0K memmap=261484K@...08K elfco

View attachment ".config" of type "text/x-mpsub" (114108 bytes)
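
A first triage step for the ddebug_proc_show oops quoted above, as an added example that is not part of the original message: find which general-purpose registers sit just below the faulting address in CR2, which identifies the base pointer of the bad access. The function names and the 0x1000 displacement window are assumptions of this sketch; the log lines are copied from the oops in the message.

```python
import re

# Register and CR2 lines copied from the ddebug_proc_show oops in the message.
OOPS = """\
[  412.226289] RAX: ffffffff8163fe20 RBX: ffffffffa01c47e8 RCX: ffff8800370ec3e0
[  412.226289] RDX: ffff8800370ec3e0 RSI: ffffffffa01c47e8 RDI: ffff880036e24740
[  412.226289] RBP: ffff880078761e98 R08: 0000000000000001 R09: 000000000000ffff
[  412.226289] R10: 0000000000000003 R11: 000000000000000a R12: ffff880036e24740
[  412.226289] R13: 0000000000000ec7 R14: ffff880078761ed0 R15: 0000000000000000
[  412.226289] CR2: ffffffffa01c480f CR3: 0000000037a08000 CR4: 00000000000006e0
"""

# General-purpose registers printed as "RAX: <16 hex digits>"; the leading \b
# keeps CRn/DRn from matching, and "RSP: 0018:..." fails the 16-digit test.
GPR = re.compile(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})\b")
CR2 = re.compile(r"\bCR2: ([0-9a-f]{16})\b")


def parse_oops(text):
    """Return ({register: value}, cr2) parsed from x86-64 oops text."""
    regs = {name: int(val, 16) for name, val in GPR.findall(text)}
    m = CR2.search(text)
    if m is None:
        raise ValueError("no CR2 line: not a page-fault oops")
    return regs, int(m.group(1), 16)


def base_candidates(text, max_disp=0x1000):
    """Registers r with 0 <= CR2 - r < max_disp, mapped to that displacement.

    These are the plausible base pointers of the faulting memory access.
    """
    regs, cr2 = parse_oops(text)
    return {name: cr2 - val
            for name, val in sorted(regs.items())
            if 0 <= cr2 - val < max_disp}


if __name__ == "__main__":
    for name, disp in base_candidates(OOPS).items():
        print(f"{name} + {disp:#x} == CR2")
```

For this oops the result is RBX and RSI at displacement 0x27, which agrees with the faulting bytes `<0f> b6 46 27` in the Code: line, a one-byte load from 0x27(%rsi).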
